From 79d68fcc03c1639c1f13343b4b7d5f9f06274295 Mon Sep 17 00:00:00 2001
From: sommerfeld
Date: Wed, 13 May 2026 13:43:25 +0100
Subject: feat(thunderbird): migrate to flatpak with NMH + PKCS#11 bridges
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Move Thunderbird from native pacman to org.mozilla.Thunderbird flatpak, mirroring the LibreWolf migration. Bubblewrap isolates the mail client from the rest of $HOME (ssh keys, password store, gpg sockets); intra-process isolation regression is real but minor (same tradeoff as the browser).

Three cross-sandbox glue points handled in repo:

- run_onchange_after_deploy-thunderbird.sh.tmpl: profile path moves from ~/.thunderbird to ~/.var/app/org.mozilla.Thunderbird/.thunderbird
- run_onchange_after_deploy-pteid-pkcs11.sh.tmpl: refactored to iterate over (LibreWolf, Thunderbird) instead of hard-coding LibreWolf, so cartão de cidadão signing/encryption works for S/MIME in TB
- run_onchange_after_deploy-tb-eer.sh.tmpl (new): bridges external-editor-revived's native messaging host into the sandbox via a flatpak-spawn --host wrapper + relocated manifest

Other surfaces (Bridge, Radicale, libsecret, mako, OpenPGP) are covered by Flathub default permissions.

Manual one-shot migration on host (after pulling + just sync): close TB, copy ~/.thunderbird/. into ~/.var/app/org.mozilla.Thunderbird/.thunderbird/, chezmoi apply -v, then xdg-mime default org.mozilla.Thunderbird.desktop x-scheme-handler/mailto. Once verified working, archive the old profile via mv ~/.thunderbird ~/.thunderbird.pre-flatpak.bak.

---
 meta/flatpak.txt | 1 +
 meta/mail.txt | 5 +++--
 2 files changed, 4 insertions(+), 2 deletions(-)

(limited to 'meta')

diff --git a/meta/flatpak.txt b/meta/flatpak.txt index 5fdd5ec..c76b100 100644 --- a/meta/flatpak.txt +++ b/meta/flatpak.txt 
@@ -12,6 +12,7 @@ io.gitlab.librewolf-community org.chromium.Chromium org.kde.okular org.libreoffice.LibreOffice +org.mozilla.Thunderbird org.torproject.torbrowser-launcher # Portuguese Citizen Card (eID) middleware + GUI. Not on Flathub; ships diff --git a/meta/mail.txt b/meta/mail.txt index 1e65dca..74f6214 100644 --- a/meta/mail.txt +++ b/meta/mail.txt @@ -1,8 +1,9 @@ +# Host-side bits the org.mozilla.Thunderbird flatpak depends on. protonmail-bridge-core -thunderbird # git send-email Perl prereqs (SMTP via local Bridge on 127.0.0.1:1025) perl-authen-sasl perl-mime-tools perl-net-smtp-ssl -# Edit messages in nvim (kernel-style inline patch review without TB mangling) +# Native messaging host binary for External Editor Revived; bridged into the +# TB flatpak by run_onchange_after_deploy-tb-eer.sh.tmpl. external-editor-revived -- cgit v1.3.1
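Review bot: In the meta/flatpak.txt hunk, the new org.mozilla.Thunderbird entry is added without any comment, although it only works as intended together with the host packages kept in meta/mail.txt (protonmail-bridge-core, external-editor-revived). meta/mail.txt now points at the flatpak, but nothing here points back, so someone installing from this list alone gets a Thunderbird without its Bridge and editor host. A one-line comment above the entry, such as "# needs host-side packages from meta/mail.txt", would keep the two lists tied together, in the same way the eID block that follows explains itself.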
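Review bot: In the meta/mail.txt hunk, the new comment on external-editor-revived names the bridging script but not the permission that bridge depends on. The commit message describes the bridge as a flatpak-spawn --host wrapper, and flatpak-spawn --host only works when the app is allowed to talk to org.freedesktop.Flatpak on the session bus, which lets any code inside the sandbox start processes on the host. That sits against the message's statement that bubblewrap keeps the mail client away from ssh keys, the password store and gpg sockets, and the override is not visible in this meta-limited view, so the comment should record it, for example "requires --talk-name=org.freedesktop.Flatpak on the TB flatpak". Two smaller points in the same hunk: the new header line "Host-side bits the org.mozilla.Thunderbird flatpak depends on." now also sits above the git send-email Perl prereqs, which it does not describe, and the removed line explaining why the editor is installed (editing in nvim for inline patch review) has no replacement, so the rationale is lost.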